Systems and methods for generation of signature generation using interactive infection visualizations

ABSTRACT

According to one embodiment, a malware detection and visualization system includes one or more processors; and a storage module communicatively coupled to the one or more processors, the storage module comprises logic, upon execution by the one or more processors, that accesses a first set of information that comprises (i) information directed to a plurality of observed events and (ii) information directed to one or more relationships that identify an association between different observed events of the plurality of observed events; and generates a reference model based on the first set of information, the reference model comprises at least a first event of the plurality of observed events, a second event of the plurality of observed events, and a first relationship that identifies that the second event is based on the first event, wherein at least one of (i) the plurality of observed events or (ii) the one or more relationships constitutes an anomalous behavior is provided.

FIELD

Embodiments of the disclosure relate to the field of cyber security. More specifically, embodiments of the disclosure relate to a system for generating reference models to describe known instances of anomalous, or more specifically, malicious behavior and interactive display screens to illustrate a comparison between incoming data and one or more reference models.

GENERAL BACKGROUND

Over the last decade, malicious software has become a pervasive problem for Internet users as many networked resources include vulnerabilities that are subject to attack. For instance, over the past few years, more and more vulnerabilities are being discovered in software that is loaded onto endpoint devices present on the network, such as vulnerabilities within operating systems for example. These vulnerabilities may be exploited by a person allowing the person to gain access to one or more areas within the network not typically accessible. For example, a person may exploit a vulnerability to gain unauthorized access to email accounts and/or data files.

While some vulnerabilities continue to be addressed through software patches, prior to the release of such software patches, network devices will continue to be targeted for attack by exploits, namely malicious computer code that attempts to acquire sensitive information or adversely influence or attack normal operations of the network device or the entire enterprise network by taking advantage of a vulnerability in computer software.

Currently, a threat detection system observes suspicious or malicious exploits and presents the information regarding the exploits in a list format. While the list format may provide security personnel information directed to uncovered exploits or other detected malicious actions, it fails to identify any relationships between the exploits that would allow security personnel to better understand potential effects, both detected and undetected, caused by the malicious exploit.

In addition, current systems fail to generate reference models based on observed exploits, malicious behaviors, anomalous behaviors (e.g., deviating from typical or expected behavior) or the like for comparison against events observed at a later time.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the invention are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which:

FIG. 1 a flowchart illustrating an exemplary method for generating a reference model and the applications that may be performed by a malware detection and visualization system (MDVS) using the generated reference model.

FIG. 2 is a block diagram of an exemplary malware detection and visualization system (MDVS) 200 coupled to a network 240.

FIG. 3 is an exemplary embodiment of a logical representation of the MDVS of FIG. 2.

FIG. 4 is an exemplary portion of data received by the event log engine 230 expressed in eXtensible Markup Language (XML).

FIG. 5 is an exemplary portion of data generated by either the reference model generating logic 215 or the machine learning logic 211 expressed in XML.

FIG. 6 is an exemplary illustration of a comparison of a reference model of an association of known malicious events with an association of potentially malicious observed events.

FIGS. 7A-7D are exemplary diagrams illustrating the exploit detection process performed by the matching logic 213 comparing an association of potentially malicious observed events with a reference model of known malicious events.

FIG. 8 is an exemplary illustration of a comparison 800 of reference models 820 and 821 with an association of potentially malicious observed events.

FIG. 9 is an exemplary illustration of a process of generating a malware family reference model.

FIG. 10 is an exemplary embodiment of an interactive display screen for display of associated events and/or particulars of the associated events used in generating the interactive display screens of FIGS. 12-14B.

FIG. 11 is an exemplary portion of data generated by either the reference model generating logic 215 or the machine learning logic 211 expressed in XML.

FIG. 12 is an exemplary illustration of a first embodiment of an interactive display screen for display of associated events and particulars of the associated events.

FIG. 13 is an exemplary illustration of a detailed embodiment of the interactive display screen of FIG. 12.

FIG. 14A is an exemplary illustration of a portion of an interactive display screen for enabling a viewer to generate a signature of a selected event, display particulars of the selected event and/or generate an alert for a selected event.

FIG. 14B is an exemplary illustration of a second embodiment of an interactive display screen for enabling a viewer to generate a signature of a selected event.

FIG. 15 is an exemplary portion of the generated signature (corresponding to the selected section in FIG. 14B) expressed in XML.

DETAILED DESCRIPTION

Various embodiments of the disclosure relate to a malware detection and visualization system that improves exploit detection and/or visual representation of the detection of suspected malware. The malware detection and visualization system includes a machine learning engine that generates reference models used in exploit detection as well as interactive display screen information based on data transmitted to the malware detection and visualization system from one or more endpoint devices, one or more threat detection systems and/or cloud computing services. The generated reference models may be combined to generate malware family reference models allowing the malware detection and visualization system to compare observed events on the network to particularized malware threats in the form of malware affecting a specific file type or malware detected in a common location (e.g., email). Alternatively, a comparison with several reference models or with a large malware family reference model may provide detection against a large range of malware threats. The malware detection and visualization system may take the form of a security appliance or security cloud service, for example. Alternatively, an electronic device may be configured with software, hardware or firmware that includes a malware detection and visualization system. The malware detection and visualization system may be implemented in real-time (e.g., as incoming data is being processed) or as a forensic investigative tool (e.g., after the incoming data has been processed to determine the root cause of a malware exploited has been executed).

The malware detection and visualization system also includes a user interface rendering subsystem that generates interactive display screens from the interactive display screen information and allows security personnel to select displayed malicious events in order to acquire additional information concerning such events as well as generate an alert or a (malware) signature that may be used for subsequent detection of malware associated with these malicious events. The interactive display screens provide a network administrator with a visual representation that compares a reference model of events (e.g., known exploits) and the relationships connecting the events with a group of potentially malicious events and their relationships to one another. The group of potentially malicious events may be derived from observations of endpoint devices, threat detection systems and/or cloud computing services connected to the malware detection and visualization system over a network.

Specifically, in one embodiment, the visual representation allows a viewer to convert a list of events into a nodal diagram in either a top-down representation or a left-to-right representation. The nodal diagrams may enable a view, such as network security personnel, to see how each event relates to one another, if at all. Furthermore, the nodal diagrams provide the visual representation necessary for a viewer to select one or more events, referred to herein as a “grouping” of events, to generate a signature or alert. The signature of a grouping of events may be used as a reference model to check for a particular sequence of events in data received in the future or added to an existing reference model. The alert may be used to notify the network administrator of the observation of a grouping of events that typically implies malicious activity on the network thereby allowing prevention actions to be taken to guard against the malicious activity.

Embodiments of the invention may be employed by or take the form of a network device or apparatus implementing a malware detection and visualization system (MDVS), where the malware detection and visualization system includes a machine learning engine for analyzing data received by the MDVS. The data may include information regarding the observation of events by a server or client device or other system (called an “endpoint”), a threat detection systems (TDS) and/or a cloud computing service. In some embodiments, the observations of events may take place while an endpoint device is operating in real-time or the observations may take place while incoming data is being processed in one or more virtual machines. Examples of incoming data may include, but are not limited or restricted to, network traffic, static files containing structured or unstructured data maintained locally or on a peripheral device and/or executable files. According to one embodiment of the disclosure, an endpoint device, TDS or cloud computing service transmits data regarding an observation of one or more events and/or relationships when an anomalous characteristic of incoming data is observed and thus indicative of an exploit. If so, one or more portions of data may be labeled “suspicious.” Throughout the specification, claims and figures, the term “network traffic” will be used in the discussion but any form of incoming data may be substituted.

A TDS may perform static and/or dynamic analyses on incoming data (e.g., network traffic) to determine whether an object of the incoming data is suspicious or malicious. An illustrative example of the static and dynamic analyses is illustrated in the threat detection and prevention (TDP) system in a prior U.S. Patent Application entitled “System, Apparatus and Method for Automatically Verifying Exploits Within Suspect Objects and Highlighting the Display Information Associated with the Verified Exploits,” U.S. patent application Ser. No. 14/228,073 filed Mar. 27, 2014, the contents of which are incorporated by reference.

In particular, the machine learning engine may be activated automatically in response to an alert condition that signifies detection of a malicious event by an endpoint device, a TDS and/or a cloud computing service within the network. Alternatively, the machine learning engine may be activated in accordance with a time-based schedule or manually by a user such as security personnel. For instance, the machine learning engine may be activated manually upon selecting a particular visual representation associated with the observance of a malicious event, where one or more events may be concurrently presented on an interactive display screen, and then subsequently selecting a prescribed item on the display screen (e.g., “exploit visualization” button or “timeline visualization” button).

After activation, the machine learning engine may be adapted to obtain received data from a machine learning data store and/or event log, where the received data may include metadata associated with malicious events detected by one or more endpoint devices, TDSes and/or a cloud computing service. The machine learning engine generates a visual representation in the form of a nodal diagram illustrating a potential malware infection, where each node or relationship included in the nodal diagram represents an action, operation, file, process, etc. associated with an anomalous event or relationship. This provides a network administrator with one or more displays directed to the sequence of events to identify which network device(s) and or file(s) within the network may have been infected by the anomalous event. For example, the anomalous event may be an atypical, but non-malicious, operation or relationship; alternatively, the anomalous event may be realized as a malicious event or relationship.

In the nodal diagrams, each event may be selected to display additional information, including, any or all of the following metadata directed to the observance of the selected event: (1) time and date of observance; (2) address information such as the path within the file system in which the affected file is located; (3) process identification of the affected process (if applicable); (4) the particulars of the particular electronic device or cloud computing service that detected the event; and/or (5) the relationship to one or more events associated with the selected event.

I. Terminology

In the following description, certain terminology is used to describe features of the invention. For example, in certain situations, both terms “logic” and “engine” are representative of hardware, firmware and/or software that is configured to perform one or more functions. As hardware, logic (or engine) may include circuitry having data processing or storage functionality. Examples of such circuitry may include, but are not limited or restricted to a microprocessor, one or more processor cores, a programmable gate array, a microcontroller, a controller, an application specific integrated circuit, wireless receiver, transmitter and/or transceiver circuitry, semiconductor memory, or combinatorial logic.

Logic (or engine) may be software in the form of one or more software modules, such as executable code in the form of an executable application, an application programming interface (API), a subroutine, a function, a procedure, an applet, a servlet, a routine, source code, object code, a shared library/dynamic load library, or one or more instructions. These software modules may be stored in any type of a suitable non-transitory storage medium, or transitory storage medium (e.g., electrical, optical, acoustical or other form of propagated signals such as carrier waves, infrared signals, or digital signals). Examples of non-transitory storage medium may include, but are not limited or restricted to a programmable circuit; a semiconductor memory; non-persistent storage such as volatile memory (e.g., any type of random access memory “RAM”); persistent storage such as non-volatile memory (e.g., read-only memory “ROM”, power-backed RAM, flash memory, phase-change memory, etc.), a solid-state drive, hard disk drive, an optical disc drive, or a portable memory device. As firmware, the executable code is stored in persistent storage.

An “exploit” may be construed broadly as information (e.g., executable code, data, command(s), etc.) that attempts to take advantage of a vulnerability and/or an action by a person gaining unauthorized access to one or more areas of a network, a computer and/or an electronic device. Typically, a “vulnerability” is a coding error or artifact of software (e.g., computer program) that allows an attacker to alter legitimate control flow during processing of the software (computer program) by a network device, and thus, causes the network device to experience undesirable or anomalous behaviors. The undesired or anomalous behaviors may include a communication-based anomaly or an execution-based anomaly, which, for example, could (1) alter the functionality of an network device executing application software in an atypical manner (a file is opened by a first process where the file is configured to be opened by a second process and not the first process); (2) alter the functionality of the network device executing that application software without any malicious intent; and/or (3) provide unwanted functionality which may be generally acceptable in another context. To illustrate, a computer program may be considered as a state machine, where all valid states (and transitions between states) are managed and defined by the program, in which case an exploit may be viewed as seeking to alter one or more of the states (or transitions) from those defined by the program. The term “anomalous behavior” should be understood to include either (i) a first event that is an atypical occurrence or a malicious occurrence, or (ii) a relationship identifying that the first event is based on a second event, the relationship being an atypical relationship between the first and second event or a relationship between the first and second events that is malicious to the network, electronic device on which the relationship appears, or to one or more users of the electronic device or of the network.

According to one embodiment, malware may be construed broadly as computer code that executes an exploit to take advantage of a vulnerability, for example, to harm or co-opt operation of a network device or misappropriate, modify or delete data. Conventionally, malware is often said to be designed with malicious intent.

The term “transmission medium” is a physical or logical communication path between two or more network devices (e.g., any devices with data processing and network connectivity such as, for example, a security appliance, a server, a mainframe, a computer such as a desktop or laptop, netbook, tablet, firewall, smart phone, router, switch, bridge, etc.). For instance, the communication path may include wired and/or wireless segments. Examples of wired and/or wireless segments include electrical wiring, optical fiber, cable, bus trace, or a wireless channel using infrared, radio frequency (RF), or any other wired/wireless signaling mechanism.

The term “network device” should be construed as any electronic device with the capability of connecting to a network. Such a network may be a public network such as the Internet or a private network such as a wireless data telecommunication network, wide area network, a type of local area network (LAN), or a combination of networks. Examples of a network device may include, but are not limited or restricted to, a laptop, a mobile phone, a tablet, a computer, etc.

The term “computerized” generally represents that any corresponding operations are conducted by hardware in combination with software and/or firmware. Also, the terms “compare” or “comparison” generally mean determining if a match (e.g., a certain level of correlation) is achieved between two items where one of the items may include a particular signature pattern.

The term “signature” designates an indicator of a set of characteristics and/or behaviors exhibited by one or more exploits that may not be unique to those exploit(s). Thus, a match of the signature may indicate to some level of probability, often well less than 100%, that a portion of received data constitutes an exploit. In some contexts, those of skill in the art have used the term “signature” as a unique identifier or “fingerprint,” for example of a specific virus or virus family (or other exploit), which is generated for instance as a hash of its machine code, and that is a special sub-case for purposes of this disclosure.

The term “observed” indicates that an event or relationship has been detected with a prescribed level of confidence (or probability). A first event or relationship may be observed with a first confidence while a second event or relationship may be observed with a second confidence, the second confidence being lower or higher than the first confidence. Examples of an event may include, but are not limited or restricted to, a process (e.g., an executable file), a non-executable file (e.g., a text document or a registry file), a unique address or location (e.g., a particular website, Internet Protocol (IP) address, or file location).

The term “reference model” should be interpreted as an association of a plurality of events wherein each event is connected to another event and the association includes at least one anomalous behavior (e.g., anomalous event or relationship). For example, a reference model may include a process that (1) injects code into a file unexpectedly and (2) opens multiple files wherein the opening of the files constitutes anomalous behavior. Throughout the specification and claims, the terms “reference model” and “signature” will be used interchangeably.

The term “relationship” means the connection or association of a first event with a second event. Examples of a relationship may include, but are not limited or restricted to, an event: starting a process, terminating a process, modifying a file, generating a file, opening a file, closing a file, deleting a file, infecting a file and/or process, injecting code into file and/or process and/or generating a mutual exclusion (mutex) on a particular file, process, application, etc.

The term “particular” should be interpreted as a characteristic of an event. Examples of particulars include, but are not limited or restricted to, a process identification (PID), a process name, a file name, a process or file path (i.e., unique location on an electronic device), the date and/or time the event was observed and/or occurred, an application programming interface (API) call involved and/or a hash value of the one or more processes or files involved.

Lastly, the terms “or” and “and/or” as used herein are to be interpreted as inclusive or meaning any one or any combination. Therefore, “A, B or C” or “A, B and/or C” mean “any of the following: A; B; C; A and B; A and C; B and C; A, B and C.” An exception to this definition will occur only when a combination of elements, functions, steps or acts are in some way inherently mutually exclusive.

The invention may be utilized for displaying an interactive infection visualization detailing detection, verification and/or prioritization of malicious content. As this invention is susceptible to embodiments of many different forms, it is intended that the present disclosure is to be considered as an example of the principles of the invention and not intended to limit the invention to the specific embodiments shown and described.

II. Malware Detection and Visualization System

Referring to FIG. 1, a flowchart illustrating an exemplary method for generating a reference model and the applications that may be performed by a network device such as, for example, a malware detection and visualization system (MDVS), using the generated reference model is shown. In block 110, the MDVS receives data describing observed events from one or more sources connected to a network. The sources may include one or more endpoint devices, one or more threat detection systems (TDSes) and/or cloud computing services. The received data may provide one or more particulars of the observed events and/or describe relationships between the observed events.

At block 120, the MDVS generates a reference model based on, at least, the received data. The MDVS may use the generated reference to: (i) perform an exploit detection process by comparing data received from one or more sources at a later time to the generated reference model and provide exploit detection feedback to block 120, if applicable (block 130); (ii) generate a malware family reference model from a plurality of generated reference models or reference models received over the network (block 140); and/or (iii) generate one or more interactive display screens to aid in the detection and tracing of exploits and/or one or more anomalous behaviors and provide interactive display screen input to block 120, if applicable (block 150).

Referring to FIG. 2, a block diagram of an exemplary MDVS 200 coupled to a network 240 is shown. The network 240 provides communication connectivity between the MDVS 200 and one or more sources, wherein the sources may include one or more endpoint devices 250 ₁-250 _(N) (where N=2 for this embodiment), one or more threat detection systems (TDSes) 260 ₁-260 _(M) (where M=3 for this embodiment) and/or the cloud computing services 241. The sources are communicatively coupled to a management system 242, which is adapted to manage the one or more sources as well as the MDVS 200. For instance, the management system 242 may be configured to perform content updates (e.g., upload new rules or modified rules, delete rules, modify parameters that are utilized by the rules, upload metadata stored within other TDSes, or certain metadata associated with the one or more endpoint devices 250 ₁ and/or 250 ₂) within the one or more endpoint devices 150 ₁ and 150 ₂ and/or within the one or more TDSes 260 ₁-260 ₃.

As shown in FIG. 2, the MDVS 200 is an electronic device that is adapted to analyze information associated with a plurality of events observed at one or more sources (the endpoint devices 250 ₁ and 250 ₂, the TDSes 260 ₁-260 ₃ and/or the cloud computing services 241). The MDVS 200 receives data of the observed events and the particulars of the events over the network 240. The network 240 may include a public network such as the Internet, a private network such as a wireless data telecommunication network, wide area network, a type of local area network (LAN), or a combination of networks.

In general, the endpoint devices 250 ₁ and 250 ₂ may observe one or more events during operation of the device and transmit a log of the events along with particulars of the events to the MDVS 200. In addition, the TDSes 260 ₁-260 ₃ may observe one or more events while processing, for instance in one or more virtual machines, one or more portions of data received over the network 240. The TDSes 260 ₁-260 ₃ may then transmit a log containing the events and their particulars to the MDVS 200. The management system 242 controls the transmission of the event logs by the endpoint devices 250 ₁ and 250 ₂ and/or the TDSes 260 ₁-260 ₃. For example, the management system 242 may transmit notifications to the endpoint devices 250 ₁ and 250 ₂ and/or the TDSes 260 ₁-260 ₃ instructing the sources that the event logs should be transmitted to the MDVS 200.

As illustrated in FIG. 2, the MDVS 200 includes a machine learning engine 210, a user interface (UI) rendering subsystem 220 and an event log engine 230. Herein, the machine learning engine 210 may include a machine learning logic 211, a machine learning data store 214, a gathering logic 212, a matching logic 213, and a reference model generation logic 215. The UI rendering subsystem 220 may include a display generation logic 221 and a UI logic 222. The event log engine may include an event log control logic 231 and an event log 232.

In one embodiment, the event log control logic 231 is responsible for receiving data associated with a malicious event that may be detected at and transmitted by the one or more sources over the network 240. Upon receiving the data, the event log control logic 231 may categorize the event and any associated events included in the data, for example, according to the type of event (e.g., executable file, text file, registry file, etc.). The data associated with a malicious event includes the particulars of the malicious event and the particulars of any observed events associated with the malicious event. The event log control logic 231 further adds the particulars of each observed event to the event log 232. Therefore, the MDVS 200 is able to easily access the event particulars in a sorted manner when generating an interactive display screen.

In a second embodiment wherein the MDVS 200 is deployed within an endpoint device 250 ₁, the event log control logic 231 is also responsible for observing the events at the endpoint device on which the MDVS 200 is deployed and for adding data associated with an observed malicious event to the event log 232 as well.

The machine learning logic 211 is responsible for analyzing the data associated with the observed events. The gathering logic 212 of the machine learning logic 211 may query the event log 232 to obtain the one or more portions of the data. The matching logic 213 of the machine learning logic 211 may analyze the one or more portions of the data to generate associations of one or more events based on the particulars of the events. For instance, the machine learning logic 211 may realize a first process (e.g., a parent process) launched several secondary processes (e.g., child processes) and that the child processes subsequently modified one or more files. In addition, the machine learning logic 211 may perform a comparison between the above-referenced realization and one or more reference models formed by events and relationships where one of these events or relationships may be characterized as a known anomalous behavior. Furthermore, the reference model generation logic 215 of the machine learning logic 211 may generate reference models of malware families from the data stored in the event log 232 and data stored in the machine learning data store 214 (the generation of reference models of malware families will be described in detail below). The machine learning logic 211 also generates the interactive display screen information based on the data in the machine learning data store 214 and the event log 232. In one embodiment, the generated reference models of malware families and the interactive display screen information may be expressed in eXtensible Markup Language (XML) and stored in the machine learning data store 214 (as will be discussed below with FIGS. 4 and 5).

The machine learning data store 214 stores the reference models generated by the machine learning logic 211 or received over the network 240 if applicable. For example, an MDVS may be deployed within an endpoint device 250 ₁ and/or 250 ₂, within one or more TDSes 260 ₁-260 ₃, or within the cloud computing services 241. In that such an embodiment, the MDVS 200 may receive one or more reference models generated by the MDVS deployed within the endpoint device 250 ₁. The machine learning data store 214 also stores interactive display screens generated by the machine learning logic 211. In the embodiment wherein an MDVS is deployed within the endpoint device 250 ₁, the data received over the network may include previously generated reference models and/or interactive display screen information. The MDVS 200 may adopt such data without modification or analyze such data to generate its own reference models and/or interactive display screen data in combination with previously received data.

The display generation logic 221 is responsible for displaying the interactive display screens generated from the interactive display screen information generated by the machine learning logic 211. When a request to display an interactive display screen is received by the MDVS 200, the user interface logic 222 notifies the machine learning logic 211. The machine learning logic 211 then queries the machine learning data store 214 and the event log 232 for the appropriate data (e.g., data pertaining to the relevant event(s)) and generates the interactive display screen information. The machine learning logic 211 may transmit the interactive display screen information to the display generation logic 221 or the display generation logic 221 may query the machine learning data store 214 to obtain the interactive display screen information. Upon obtaining the interactive display screen information, the display generation logic 221 generates the physical display screen that illustrates the association of one or more anomalous events and/or a comparison of one or more reference models of events that constitute known anomalous behaviors with an association of one or more observed events. In some embodiments, the display screen may contain the particulars of the events.

The UI logic 222 is responsible for receiving requests for the generation of an interactive display screen, requests to display particulars of an event and/or requests to generate signatures (e.g., reference models).

FIG. 2 also illustrates optional reference model generators 243 ₁-243 ₂ attached to sources connected to the network 240. The reference model generator 243 ₁ may be connected to (or part of) the TDS 260 ₂. The reference model generator 243 ₁ may generate one or more reference models based on network traffic analyzed by the TDS 260 ₂. The one or more reference models may be transmitted to the MDVS 200 through the network 240 and stored in either the event log 232 or the machine learning data store 214. Similarly, the reference model generator 243 ₂ may generate reference models based on data supplied to the management system from a network administrator and/or one or more sources, for example, the endpoint devices 250 ₁ and/or 250 ₂, one or more TDSes 260 ₁-260 ₃ and/or the cloud computing services 241. The generated reference models may be transmitted to the MDVS 200 through the network 240 and stored in either the event log 232 or the machine learning data store 214.

Referring to FIG. 3, an exemplary embodiment of a logical representation of the MDVS of FIG. 2 is shown. The MDVS 200 includes one or more processors 300 that are coupled to communication interface logic 301 via a first transmission medium 320. Communication interface 301 enables communications with endpoint devices 250 ₁ and/or 250 ₂, one or more TDSes 260 ₁-260 ₃, the cloud computing services 241 and/or the management system 242 of FIG. 2. According to one embodiment, communication interface 301 may be implemented as a physical interface including one or more ports for wired connectors. Additionally, or in the alternative, communication interface logic 301 may be implemented with one or more radio units for supporting wireless communications with other electronic devices.

The processor(s) 300 is further coupled to the persistent storage 310 via transmission medium 325. According to one embodiment of the disclosure, persistent storage 310 may include (a) the machine learning engine 210, including the machine learning logic 211 and/or the machine learning data store 214; (b) the UI rendering subsystem 220 that includes the display generation logic 221 and the UI logic 222; and (c) the event log engine 230 including the event log control logic 231 and the event log 232. Of course, when implemented as hardware, one or more of these logic units could be implemented separately from each other.

III. Reference Model Generation

Referring to FIG. 4, an exemplary portion of data received by the event log engine 230 expressed in XML is shown. As described above, the event log control logic 231 receives data transmitted by the one or more sources over the network 240 pertaining to one or more events and the particulars of the events. FIG. 4 illustrates one embodiment of data of events and particulars of the events received by the event log control logic 231. The data illustrated in FIG. 4 is stored in the event log 232 until it is gathered by the gathering logic 212 (discussed below).

FIG. 4 illustrates details of a first event observed at a time having a timestamp of “200.” For example, lines 3-12 state one or more attributes of the process information of a first event at a time having a timestamp value of “200” detailing: (1) the value of the event (“<value>”); (2) the process identification of the event (“<pid>”); (3) the parent process identification of the event (“<ppid>”); (4) the parent name of the event (“<parentname>”); (5) the file size of the event (“<filesize>”); (6) the hash value (e.g., a particular message digest (MD5) hash value) of the event (“<md5sum>”); (7) the securer hash algorithm (SHA) value of the event (“<shalsum>”); and (1) the file identification of the event (“<fid>”). Similarly, lines 13-20 and 21-26 recite event particulars of a second and third event at times having timestamp values of “300” and “350,” respectively.

Based on the data illustrated in FIG. 4, a reference model may be generated by the reference model generation logic 215 of FIG. 2. The generation of a reference model may be triggered, for example, at predetermined time intervals, after receipt of a predetermined amount of data from the network 240, and/or manually by a system administrator or the like. Upon the triggering of the generation of a reference model the gathering logic 212 gathers the data illustrated in FIG. 4 and passes the data to the reference model generation logic 215. Alternatively, the data illustrated in FIG. 4 may be gathered by the gathering logic 212 and passed to the machine learning logic 211 which will generate an association of potentially malicious events for the matching logic 213 to use in an exploit detection process (discussed below).

Referring to FIG. 5, an exemplary portion of data generated by either the reference model generating logic 215 or the machine learning logic 211 expressed in XML is shown. As mentioned above, the gathering logic 212 gathers the data illustrated in FIG. 4 and may pass the data to the reference model generating logic 215. The reference model generating logic 215 generates a reference model for use in an exploit detection process. The generated reference model may be expressed in XML as illustrated in FIG. 5 and subsequently stored in the machine learning data store 214. Alternatively, FIG. 5 may represent an association of potentially malicious events that will be used by the matching logic 213 in an exploit detection process, such as the exploit detection process performed by the matching logic 213 illustrated in FIGS. 6-7C.

The modifications to the data as illustrated in FIG. 4 to obtain the data as illustrated in FIG. 5 provide indicators of the beginning and end of event data (e.g., “<nodes>”) as well as the relationship (e.g., “<edge>”) between two events. The modifications may be performed by either the reference model generation logic 215 or the machine learning logic 211.

IV. Applications of Reference Model(s)

A. Improved Exploit Detection

Referring now to FIG. 6, an exemplary illustration of a comparison of a reference model of an association of known malicious events with an association of potentially malicious observed events is shown. The machine learning logic 211 may perform an exploit detection process by performing the comparison illustrated in FIG. 6. The exploit detection process may be triggered, for example, at predetermined time intervals, after receipt of a predetermined amount of data from the network 240, and/or manually by a system administrator or the like.

The determination of selecting which reference model(s) to use in a comparison such as that illustrated in FIG. 6 is based on one or more factors. Examples of factors include, but are not limited or restricted to, the infection type of one or more events included in the received data (the association of potentially malicious observed events), the type of a file included in the received data and/or the most commonly matched reference models. Alternatively, the received data may be compared to all of the reference models.

Upon the triggering of the exploit detection process, the gathering logic 212 of the machine learning logic 211 initially gathers the data received over the network 240 and stored in the event log 232. The gathering logic 212 also gathers the one or more reference models that will be used in the comparison. The matching logic 213 of the machine learning logic 211 compares the received data and the one or more reference models gathered by the gathering logic 212.

In FIG. 6, the interactive display screen 600 illustrates a side-by-side comparison of two nodal diagrams; the left side being the reference model 620 and the right side being an association of observed potentially malicious events 630 (“the association 630”). The reference model 620 represents an association of known or observed events and the relationships between the events. The observations or knowledge is such that the event and/or relationship was observed and/or known to have occurred with at least a certain probability. The reference model generation logic 215 of FIG. 2 may generate reference models such as reference model 620 from one or more of the data stored in the machine learning data store 214, the data stored in the event log 232 and/or data received over the network 240.

The events Event_1 602, and Event_2 603 through Event_m 604 were observed as a result of the performance of an action or operation caused by the Process_A 601. The events appearing in the reference model 620 are present as a result of one or more events or relationships being deemed at least anomalous, where one or more events or relationships may have been deemed malicious. In one embodiment, the Process_A 601 may have been deemed malicious by the TDS 260 ₁ of FIG. 2 and such information transmitted to the MDVS 200. In some embodiments, all behaviors caused by one malicious event may be considered malicious while in other embodiments, only a subset of the events caused by a malicious event may be deemed malicious.

Referring to the association 630, the solid lines appearing in the association 630 signify that the events and/or relationships (i.e., the line connecting two events) were observed with at least a first confidence (e.g., observation that the event occurred or existed exceeds a first predetermined probability threshold). The dotted lines appearing in the association 630 signify that the events and/or relationships were observed with a second confidence, wherein the second confidence is different and less than the first confidence.

In the comparison performed by the matching logic 213 as illustrated in FIG. 6, some events and/or relationships may be equivalent in both the reference model 620 and the association 630. As is illustrated, the events Event_1 602 and Event_2 603 appear in both the reference model 620 and the association 630. In addition, the machine learning logic 211 may infer that one or more events and/or relationships were observed and should be included in the association 630 based on the reference model 620. For example, the machine learning logic 211 may “learn” that when two events are observed, a third typically is as well and therefore infer that the third event was observed, adding it to association 630. The concept of the machine learning logic 211 learning when events and/or relationship are likely to have be observed by recognizing trends and patterns based on the data stored in the machine learning data store 214, stored in the event log 232 and/or received over the network 240 will be explained in detail along with the discussion of FIGS. 7A-7C below.

Referring to FIGS. 7A-7D, exemplary diagrams illustrating the exploit detection process performed by the matching logic 213 comparing an association of potentially malicious observed events with a reference model of known malicious events are shown. The changes seen between FIG. 7A to FIG. 7B and from FIG. 7B to FIG. 7C illustrate one embodiment of a process the machine learning logic 211 may perform to determine whether at least a portion of the association of potentially malicious observed events matches with one or more reference models. In one embodiment, the progression from FIG. 7A to FIG. 7B to FIG. 7C may be considered the development of one interactive display screen. Alternatively, FIGS. 7A-7C may be considered separate interactive display screens providing a viewer three different perspectives of the potentially malicious events and/or relationships included within the association of potentially malicious events (the right side of the interactive display screen). The embodiment in which FIGS. 7A-7C may be interactive display screens will be discussed below.

The following discussion of FIGS. 7A-7C will explain an embodiment wherein the three figures illustrate the exploit detection process performed by the machine learning logic 211. In addition, the discussion of the changes seen from FIG. 7C to FIG. 7D will explain the enhancement of a reference model based on the data transmitted to the MDVS 200.

Referring to FIG. 7A, an initial stage of the exploit detection process is shown. The exploit detection process includes a comparison 700 that includes the reference model 730 and the association of potentially malicious events 740 (“the association 740”). The reference model 730 includes the event 1.exe 701 that is seen to cause the performance of an action or operation in the events 1_M.exe 702, “hidden files” 703, “tampered files” 704, “www.web1.com resolved to 199.16.199.2” 705, “199.16.199.2” 706, firefox.exe 707 and C:/Windows/explorer.exe 708.

In addition, the reference model 730 details the relationships between the events. For example, FIG. 7A provides that the event 1.exe 701 caused the creation of a mutex to be performed that resulted in the observation of the event 1.exe_M 702. Likewise, it is seen that the event 1.exe 701 exhibited malicious action that resulted in various hidden files 703. Similarly, the relationships between the event 1.exe 701 and the other events included in the reference model 730 are illustrated in the comparison 700.

The association 740 includes the event 1.exe 701 that is seen to cause the performance of an action or operation resulting in the events 1_M.exe 721, “hidden files” 722, “tampered files” 723, “disabled taskmanager” 724 and C:/Windows/4.exe 725. In contrast to the reference model 730, not all of the relationships between the events included in the association 740 are illustrated in FIG. 7A. The association 740 shown in FIG. 7A may not include enough data for the MDVS 200 to initially recognize all events and relationships with at least a first confidence, as mentioned above. As illustrated in FIG. 7A, the machine learning logic 211 may not initially have access to data allowing the machine learning logic 211 to determine relationships between the event 720 and the events 722, 723 and 725 with at least the first confidence.

Therefore, as one embodiment, FIG. 7A illustrates the first stage in the process of generating the association 740 that is shown in FIG. 7C. For example, the data used to generate the association of FIG. 7A may have been transmitted to the MDVS 200 from the TDS 260 ₁. The TDS 260 ₁ may have, for example, processed a portion of network traffic it received in one or more virtual machines and observed, among others, the events and relationship included in the association 740 of FIG. 7A. One or more of the events and/or relationships included in the association 740 of FIG. 7A may be been deemed malicious, prompting the TDS 260 ₁ to transmit the observations to the MDVS 200.

Referring to FIG. 7B, a second stage of the exploit detection process is shown. The association 740 illustrated in FIG. 7B is seen to have two additional events included compared to the association 740 of FIG. 7A. In particular, the two events, “www.web1.com resolves to 199.16.199.2” 750 and “199.16.199.2” 751, are illustrated using dotted lines. In the embodiment of FIGS. 7A-7C, dotted lines are intended to represent that the events and/or relationships were observed with a second confidence, meaning that the data available to the machine learning logic 211 did not provide as much support for the occurrence or existence of the events illustrated using dotted lines as the data did for the occurrence or existence of the events illustrated using solid lines.

Alternatively, the dotted lines may represent that the event was not detected at any one source but instead is an inference from the event's appearance in the reference model 730. For example, the dotted box surrounding the “www.web1.com resolves to 199.16.199.2” event 750 may represent that no source connected to the MDVS 200 via the network 240 observed the “www.web1.com resolves to 199.16.199.2” event 750. Instead, based on the similarities between the association 740 and the reference model 730, the matching logic 213 inferred that the “www.web1.com resolves to 199.16.199.2” event 750 should be included and may have occurred but its observance did not occur.

In one embodiment, the data may have only provided one source of evidence of the occurrence of existence of the events illustrated using dotted lines whereas the first confidence requires Y or more sources of evidence are state that an event occurred or existed (wherein Y>2). Alternatively, or in addition, the dotted lines may represent that the machine learning logic 211 has inferred that the events illustrated using dotted lines occurred or existed. Through machine learning, the machine learning logic 211 may have recognized that the events illustrated using dotted lines typically occur or exist when one or more of the events illustrated using solid lines were observed and therefore infer that it is likely the events illustrated dotted lines occurred or existed but were not observed with the first confidence. For example, the machine learning logic 211 may recognize that when an executable file (e.g., 4.exe 720) generates a mutex which is followed by the hiding of files and tampering with network settings, it is likely that the website “www.web1.com” resolves to the IP address “199.16.199.2” and source (e.g., TDP 260 ₁) connected to the IP address “199.16.199.2” based on the reference model 730.

Referring to FIG. 7C, the association 740 is fully illustrated such that the relationships between the event 4.exe 720 and the events 1_M.exe 721, “hidden files” 722, “tampered files” 723, “disabled taskmanager” 724, “www.web1.com resolved to 208.73.211.247” 750, “208.73.211.247” 751 and C:/Windows/4.exe 725 are present in the comparison 700. As was discussed regarding FIG. 7B, the machine learning logic 211 may infer one or more relationships based on at least a comparison 700 of the association 740 with the reference model 730. Therefore, the comparison 700 as illustrated in FIG. 7C provides the matching logic 213 the association of the event 4.exe 720 with the events 721-725, 750 and 751 allowing the matching logic 213 to make a determination as to whether the association 740 matches with the reference model 730.

Based on FIGS. 7A-7C, the matching logic 213 may ascertain what malicious events occurred or existed, the relationships between the one or more events as well as the confidence of the machine learning logic 211 of the occurrence or existence of a particular event and/or relationship. The comparison 700 in FIGS. 7A-7C performed by the matching logic 213 to compare the association of observed and/or inferred events with a reference model allowing the matching logic 213 to determine the extent of malicious activity that may have occurred and what files, processes, locations, etc. may have been affected.

Furthermore, the matching logic 213 may determine whether a correlation exists between the reference model 730 and the association 740 depending on predetermined characteristics and thresholds. For example, the matching logic 213 may find a correlation when Z specific events are found to match in the reference model 730 and the association 740 (wherein Z is a predetermined number). Alternatively, the matching logic 213 may determine a correlation exists if a predetermined number of events and/or relationships are found to match between the reference model 730 and the association 740. In yet another embodiment, the matching logic 213 may find a correlation if a predetermined number of events and/or relationships are found to match and one or more events and/or relationships are not present in both of the reference model 730 and the association 740. Any combination of the above scenarios may be used to determine whether a correlation is present between the reference model 730 and the association 740. The machine learning logic 211 may store these correlations in the machine learning data store 211 as a way of “learning” when one or more malicious events and/or relationships may be inferred.

Referring to FIG. 7D, an enhancement to the reference model 730 is shown. The event “Disabled TaskManager 724” has been added to the reference model 730 and is illustrated with a dotted and dashed line. In addition, the relationship between the process 1.exe 701 and the event “Disabled TaskManager 724” is also present in the reference model 730 similarly illustrated with a dotted and dashed line. As a result of the data transmitted to the MDVS 200, and optionally, in addition to the data stored in the event log 232 and/or the machine learning data store 212, the machine learning logic 211 may determine that there is sufficient correlation between an event and/or relationship and a reference model such that the event and/or relationship should be added to the reference model.

In one embodiment, a “sufficient correlation” may include the event and/or relationship appearing within a grouping of events a predetermined number of times. For example, if the event “Disabled TaskManager 724” appears X number of times (wherein X is a predetermined threshold) when a process (e.g., 4.exe 720) generates a mutex, hides files and tampers with network settings, the event “Disabled TaskManager” 724 will be added to the reference model including those events. Referring back to FIG. 1, the addition of event “Disabled TaskManager 724” and the relationship between the between the process 1.exe 701 and the event “Disabled TaskManager 724” is illustrated in FIG. 1 as “exploit detection feedback” from block 130 to block 120. The addition of one or more events and/or relationships to a reference model constitutes exploit detection feedback as illustrated in FIG. 1. The one or more events and/or relationships determined by the matching logic 213 and/or the machine learning logic 211 to be added to one or more reference models may be transmitted to the reference model generation logic 215. The gathering logic 212 may gather the reference models to be updated from the machine learning data store 214. The reference model generation logic 215 may then perform an updating process to the one or more gathered reference models by adding the one or more events or relationships into the one or more reference models. The reference models that are to be updated may be determined by gathering all reference models having one or more common events and/or relationships with the reference model used in the comparison or all reference models included in the machine learning data store 214. Alternatively, reference models to be updated may be selected based on file types included in the reference models and/or a source that observed the events included in the reference models (e.g., email TDS, web TDS, file TDS and/or mobile TDS).

The enhanced reference model 730 may be used to update and/or allow for more particularized exploit detection. For example, the enhanced reference model 730 may be used by, among others, the management system 242 to further configure or reconfigure one or more of the sources (e.g., the endpoint device 250 ₁ and/or the TDS 260 ₁). The reconfiguration or further configuration may entail, for example, configuring the one or more sources to search one or more pieces of network traffic for an extended amount of time, search the one or more pieces of network traffic multiple times and/or search for different malware exploits and/or certain events and/or relationships.

Alternatively, or in addition to, the enhanced reference model 730 may provide a means for updating one or more correlation rules for classifying malware (e.g., updating signatures or rules for determining whether an object of network traffic is suspicious and/or configuring and/or reconfiguring one or more virtual machines (VMs) included in one or more sources). Such updated signatures may be more robust due to the more complete picture of a malware exploit the updated signature provides. In one embodiment, the enhanced reference model 730 may provide improved alerts and recognition of malware based on the enhancement.

Referring to FIG. 8, an exemplary illustration of a comparison 800 of reference models 820 and 821 with an association of potentially malicious observed events is shown. Similar to FIGS. 7A-7C, the comparison 800 includes a left side and a right side. However, in contrast to FIGS. 7A-7C showing a single reference model, the left side of the comparison 800 includes the reference model 820 and the reference model 821. One embodiment of the generation process of the association of potentially malicious events 822 (the association 822) is similar to the embodiment describing FIGS. 7A-7C. Furthermore, in the embodiment of FIG. 8, the machine learning logic 211 may infer events and/or relationships from two reference models.

In FIG. 8, the association 822 is seen to have solid lines illustrating the Event_A_1 802 and the Event_G_1 805. In addition, the relationship connecting the Process_C_1 810 with the Event_A_1 802 and Event_G_1 808 are illustrated using solids lines. Therefore, FIG. 8, illustrates the Event_A_1 802 and the Event_G_1 808 and the connections (i.e., relationships) between the Process_C_1 810 and the events Event_A_1 802 and Event_G_1 808 were observed with at least a first confidence by one or more of the sources connected to, for example, the network 240 of FIG. 2.

Furthermore, the events Event_D_1 805 and Event_F_1 807 as well as the connections between the Process_C_1 810 and the events Event_D_1 805 and Event_F_1 807 are illustrated as dotted lines meaning these events and connections were inferred from the Process_A_1 801 and/or the Process_B_1 809. As can be seen in FIG. 8, the reference model 820 includes the Event_D_1 805. The reference model 821 includes the Event_F_1 807. In addition, not all events present in one or more of the reference models need to be inferred as occurring within the received data. For example, the events Event_B_1 803 and Event_C_1 804 was not inferred by the machine learning logic 211 as having occurred with the association 822. In one embodiment, the received data along with the reference models available to the machine learning logic 211 may not have supported such an inference.

B. Malware Family Reference Model Generation

Malware family generation is the generation of comprehensive signatures used to identify one or more anomalous, or more specifically malicious, files, processes, etc., and/or relationships that are related through, among others, the evolution of a malware, a common point of attack or attack pattern (e.g., multiple pieces of malware gaining unauthorized access to the same file or process within an operating system), a common method of entering a network or electronic device (e.g., embedded software in an email or embedded software in a portable document format (PDF) file), a common targeted vulnerability (e.g., a common exploit kit), a common targeted information and/or a common targeted unauthorized access point. The generation of a malware family reference model may be triggered, for example, at predetermined time intervals, after receipt of a predetermined amount of data from the network 240, and/or manually by a system administrator or the like.

Upon the triggering of the generation of a malware family reference model, the gathering logic 212 of the machine learning logic 211 initially gathers a plurality of appropriate reference models stored in the machine learning data store 214. The gathering logic 212 determines which reference models are appropriate for generation of a malware family reference model based on one or more characteristics of the triggering event and/or the plurality of reference models currently stored in the machine learning data store 214. The matching logic 213 of the machine learning logic 211 compares the received data and the one or more reference models gathered by the gathering logic 212.

In one embodiment, the reference models stored in the machine learning data store 214 may all include one or more common events and/or relationships and therefore all reference models may be used to generate a family malware reference model. Alternatively, appropriate reference models for generating a malware family reference model may be selected based on file types included in the reference models and/or a source that observed the events included in the reference models (e.g., email TDS, web TDS, file TDS and/or mobile TDS). Furthermore, if a network administrator manually triggers the generation of a reference model, the network administrator may manually select one or more of the above characteristics for the gathering logic 212 to use in its determination of what reference models in the machine learning data store 214 are appropriate to include in the reference model generation.

Once the reference models that will be used to generate a malware family reference model have been gathered by the gathering logic 212, the reference models are passed to the reference model generating logic 215. As will be discussed below in relation to FIG. 9, the reference model generating logic 215 generates a malware family reference model by computing the mathematical union between the plurality of reference models gathered by the gathering logic 212.

Referring to FIG. 9, an exemplary illustration of a process of generating a malware family reference model is shown. The generation process 900 performed by the reference model generation logic 215 of FIG. 2 includes a left side and a right side. The left side includes two reference models, the reference models 930 and 931. The reference model 930 includes the Process_A_2 901 and the events Event_A_2 902, Event_B_2 903, Event_D_2 905 and Event_E_2 906. The reference model 931 includes the Process_B_2 908 and the events Event_A_2 902, Event_B_2 903, Event_C_2 904, Event_E_2 906 and Event_F_2 907.

The malware family reference model 940 has been generated from the reference models 930 and 931. The reference model generation logic 215 compares two or more reference models in order to generate a malware family reference model. The reference model generation logic 215 generates the malware family reference model by placing all distinct events in the two or more reference models compared (e.g., the mathematical union of the two or more reference models compared) into the malware family reference model (e.g., the malware family reference model 940).

As illustrated in FIG. 9, the malware family reference model 940 contains all distinct events included in the reference models 930 and 931. In particular, the reference model generation logic 215 generates the malware family reference model 940 by placing the events the reference model 930 has in common with the reference model 931 (the events Event_A_2 902, Event_B_2 903, Event_C_2 904 and Event_E_2 906) in the malware family reference model 940. The reference model generation logic 215 also places any events included in the reference model 930 in the malware family reference model 940 that are not included in the reference model 931 (the events Event_D_2 905). To conclude, the reference model generation logic 215 places any events included in the reference model 931 in the malware family reference model 940 that are not included in the reference model 930 (the events Event_F_2 907). The process of placing events in common or events included in less than all of the reference models compared to generate a malware family reference model may be done in any order.

The malware family reference model 940 also includes the process Process_C_2 910. This process may be equivalent to any of the processes included in one or more of the reference models compared to generate the malware family reference model (e.g., the processes Process_A_2 901 and Process_B_2 908).

The reference models used by the machine learning logic 211 to generate malware family reference models may be stored in the machine learning data store 214 and/or the event log 232, and/or received over the network 240. In addition, signatures generated in accordance with the discussion of FIGS. 14A and 14B may be used in the generation of malware family reference models.

C. Visualization

As mentioned above, interactive display screens comprising FIGS. 7A-7C may be generated by the display generation logic 211 of the UI rendering subsystem 220. In such an embodiment, the interactive display screens illustrating FIGS. 7A-7C may give a viewer a side-by-side visual comparison of a reference model and an association of potentially malicious events (e.g., at least a portion of data received over the network 240). A side-by-side visual comparison may allow a viewer to understand the source of the anomalous behavior as well as determine what files, processes, network settings, etc., and/or relationships that may have been affected.

Referring to now FIG. 10, an exemplary embodiment of an interactive display screen 1000 for display of associated events and/or particulars of the associated events used in generating the interactive display screens of FIGS. 12-14B is shown. Herein, rendered by the UI rendering subsystem 220, the interactive display screen 1000 features a plurality of display areas 1010 and 1030 that illustrate information directed to events and particulars of the observed events over a time period by the one or more sources (the endpoint devices 250 ₁ and 250 ₂, the TDSes 260 ₁-260 ₃ and/or the cloud computing services 241 of FIG. 2) and or the management system 242 of FIG. 2.

According to one embodiment, the display area 1010 displays a plurality of entries 1020 ₁-1020 _(R) (R>1, where R=9 for this embodiment) that provides information directed to observed events, where one or more events are anomalous or malicious. As shown, each row of entries (e.g., row 1020 ₁) rendered by the UI rendering subsystem 220 features a plurality of fields, including one or more of the following: (1) a date and time of the observation 421; (2) an event name 422; (3) a process identification (PID) 423 (if applicable); (4) a path directing the viewer to the location at which the event may be located 424; and/or (5) a source that observed the event (e.g., email TDS, web TDS, file TDS and/or mobile TDS).

A second area 1030 may be configured to allow selection of one or more observed potentially malicious events for viewing on a second visual representation. In one embodiment, when an observed event has been selected, the row may appear highlighted as is seen in FIG. 10. The buttons 1040 and 1041 enable viewing of an interactive visual representation (e.g., nodal diagram) of the selected events as they relate to one or more events within the display area 1010 and/or as they compare to one or more reference models of known anomalous or malicious behaviors. For example, based on the exemplary embodiment of FIG. 10 in which entry 1020 ₂ is selected, activation of the button 1040 labeled “Exploit Visualization” would subsequently present an interactive display screen of the relationships of the observed event represented in entry 1020 ₂ to other events, including perhaps one or more events appearing in display area 1010 (to be described below). Similarly, activation of the button 1041 labeled “Timeline Visualization” would subsequently present a second interactive display screen of the relationships of the observed event represented in the selected entry 1020 ₂ to other events, including perhaps one or more events appearing in display area 1010 (to be described below). Alternatively, activation of the button 1042 labeled “Generate Signature” would request the machine learning logic 211 of FIG. 2 to generate a signature based on the selected event and, in one embodiment, any subsequent events branching from the selected event (to be discussed in detail below).

One or more interactive display screens may be comprised of, among other things, a top-down nodal or tree diagram (e.g., an “exploit visualization”) or a left-to-right nodal or tree diagram (e.g., “a timeline visualization”). A time axis is illustrated in FIG. 12 and will be discussed below. Particulars of the events may be included to provide a detailed understanding of, among other things, where events are located within an electronic device or various methods of identifying one or more events (e.g., file/process name or PID). In addition, the interactive display screen may provide the viewer an understanding of how the event was detected by color-coding the events or providing various line formatting (e.g., dashed lines, solid lines, double lines, etc.) based on, for example, the portion of a TDS or endpoint device that observed the event. Alternatively, the illustration of the events may be color-coded based on the type of event. Additionally, the display may be a static visual representation of the one or more relationships between one or more events.

In addition, a rank may be assigned to the events included in a nodal diagram. For example, when an association of events are illustrated as a top-down nodal diagram, each row of events may be considered to have the same rank, wherein a first event appearing above a second event has a higher rank than the second event. Alternatively, when an association of events are illustrated as a left-to-right nodal diagram, each column of events may be considered to have the same rank, wherein a first event appearing to the left of a second event has a higher rank than the second event.

Referring to FIG. 11, an exemplary portion of data generated by either the reference model generating logic 215 or the machine learning logic 211 expressed in XML is shown. As described above, the machine learning logic 211 generates interactive display screen information for the visual representation of one or more relationships between one or more events and the particulars of the events. FIG. 11 illustrates one embodiment of data detailing the relationship of a first event to a second event and the relationship of the first event to a third event. For example, lines 5-6 denote the first and second events (node 1 and node 2 as “process_1” and “registry_1,” respectively). Line 9 denotes the relationship before the first and second events (edge 1 as “node_1.created/changed-properties.node_2”). Similarly, Lines 12-20 represent details of the relationship between the first event and the third event.

The data illustrated as FIG. 11 may represent the interactive display screen information used by the display generation logic 221 to generate a display for viewer. For example, the data illustrated in FIG. 11 is used by the display generation logic 221 to generate a portion of FIGS. 12 and 13 as discussed below.

Referring now to FIG. 12, an exemplary illustration of a first embodiment of an interactive display screen for display of associated events and particulars of the associated events is shown. In FIG. 12, the interactive display screen 1200, depicted as a nodal diagram, illustrates the associated events at a high-level allowing a viewer to obtain an understanding of the relationships between one or more observed events wherein one or more anomalous behaviors are present. An anomalous behavior may be (i) a suspicious event or relationship that was observed by one or more of the sources (the endpoint devices 250 ₁ and 250 ₂, the TDSes 260 ₁-260 ₃ and/or the cloud computing services 241) or (ii) a malicious event or relationship observed by one or more of the sources. For example, a malicious event may cause performance of one or more actions that result in one or more malicious behaviors and/or one or more non-malicious behaviors. In general, the depiction of a first event appearing vertically above a second event is intended to illustrate that the first event was observed at a time prior to the second event. Similarly, a depiction of a second event appearing vertically equivalent (e.g., aligned in a row) with a third event, wherein the second event appears to the left of the third event, is intended to illustrate that the second event was observed at a time prior to the third event. It should be noted that exceptions may occur and labeling of such exceptions (e.g., by the use of numbering events and/or relationships) may be used to denote such exceptions to the viewer (numbering of exceptions will be illustrated in and described along with FIG. 13).

In FIG. 12, the Parent_Process_1 1201 is seen to cause an action or operation resulting in the Process_1 1202 at a first time. In one embodiment, the Parent_Process_1 1201 may be a malicious event and starting the Process_1 1202 may constitute a malicious action or operation (e.g., if the Process_1 1202 is also a malicious event and/or if the starting of the Process_1 1202 was not a normal function of the electronic device on which the action or operation occurred (or virtual machine performing processing of the Parent_Process_1 1201)). Alternatively, the Parent_Process_1 1201 and/or the Process_1 1202 may be non-malicious events and the starting of the Process_1 1202 may be construed as a non-malicious action or operation.

In addition, the Process_1 1202 causes the performance of one or more actions or operations that result in the events including: (i) the Registry_1 1203; (ii) the File_1 1204; (iii) the File_2 1205; and (iv) the Process_2 1206. Similarly, the File_1 1204 is depicted as causing the performance of an action or operation that results in the Process_3 1207. Furthermore, the Process_2 1206 is depicted as causing the performance of an action or operation that results in the File_3 1208.

Therefore, according to one embodiment, when the interactive display screen 1000 of FIG. 10 is viewed and the button 1440 (“Exploit Visualization”) is activated, the interactive display screen 1200 is displayed using the information included in the interactive display screen 1000 which may be derived from interactive display screen information expressed as XML files similar to FIG. 11.

As mentioned above, a time axis 1210 is illustrated in FIG. 12. The time axis 1210 illustrates the embodiment wherein an interactive display screen (e.g., the interactive display screen 1200) is configured to illustrate an order of events in a sequential manner according to one or more time axes. The time axis 1210 shows that the events in the interactive display screen 1200 are ordered in a top-to-bottom and left-to-right manner according to the time of performance of the one or more actions or operations that resulted in the events 1201-1208. For example, the event 1202 is illustrated below the event 1201 implying that the performance of the one or more actions or operations that resulted in the event 1201 occurred prior in time to the one or more actions or operations that resulted in the event 1202. Similarly, the event 1203 is illustrated to the left of the event 1204 implying that the performance of the one or more actions or operations that resulted in the event 1203 occurred prior in time to the one or more actions or operations or behaviors that resulted in the event 1204. In another embodiment, a time axis may only comprise one axis (e.g., horizontal such as left-to-right, vertical such as top-to-bottom, etc.). Alternatively, a time axis may not be included in an interactive display screen.

In addition, a time axis may be present in an interactive display screen illustrating a left-to-right nodal diagram (e.g., an embodiment in which FIG. 7D may be used as an interactive display screen). As stated above, when a time axis is present in an interactive display screen illustrating a left-to-right nodal diagram, the time axis may comprise a single axis (e.g., only top-to-bottom) or may comprise two time axes (e.g., top-to-bottom and left-to-right).

Referring back to FIG. 2, the machine learning engine 210 analyzing observed events comprising an exploit after the occurrence of the exploit may fail to determine the source of infection. Even if the events are observed in their entirety, sometimes the voluminous manner of the observed events (events comprising both malicious events and non-malicious events) may make the determination of the presence of an exploit and/or malware difficult. Being able to compare the observed events with a reference model assists in sifting through the data and discovering the origin of infection. For example, a user may have browsed to a well-known Uniform-Resource Locator (URL) that was compromised and unintentionally downloaded malware on an endpoint. Subsequently, the malware may have stolen data and uploaded the stolen data to a foreign server. A reference model stored in the MDVS 200 may contain the sequence of such events. If the matching logic 213 of the MDVS 200 is able to match the observed events with a portion of the reference model, the machine learning logic 211 may infer that all of the events occurred although not all of the events were observed based on the sequential ordering of the reference model. The matching logic 213 may determine that one or more events in the reference model were not observed, or were not observed with at least a first confidence. For example, based on the sequential ordering of the events and the time axis of the reference model, the machine learning logic 211 may infer that an event_B occurred prior to an event_C but subsequent to an event_A, although event_B was not observed by at least one source (e.g., the endpoint device 250 ₁).

In addition, the machine learning logic 211 may trace the root cause of the exploitation back to the initial visit to the compromised URL based on a time axis and the sequential ordering of the events in the reference model. In one embodiment, the presence of a time axis on an interactive display screen may allow a viewer, such as a network adminstrator, to visually understand which event was the root cause of the exploit.

Referring to FIG. 13, an exemplary illustration of a detailed embodiment of the interactive display screen of FIG. 12 is shown. In addition to events 1201-1208 of FIG. 12, interactive display screen 1300 illustrates events 1301-1306 corresponding to the Registry_2, the Registry_3, the Registry_4, the File_4, the Folder_1 and the File_5, respectively. In particular, the Process_3 1207 causes the performance of one or more actions or operations that result in events 1301-1306.

In addition to providing a visual representation of how the events 1201-1208 and 1301-1306 are related, the interactive display screen 1300 displays one or more particulars of each event. For example, the path (“c:/doc1/local1/temp/4.exe”) and the PID (“1676”) are displayed for the Process_1 1202. The particulars displayed for each event may differ, for example, only the path of an event may be displayed as is the case with the File_1 1204 in the present embodiment.

Furthermore, the interactive display screen 1300 provides the viewer with the relationship between two events and the timing of the observation of the relationship. For example, the relationship between the Process_1 1202 and the File_1 1208 is the third relationship generated of the relationships displayed in the interactive display screen 1300. In addition, the relationship between the Process_1 1202 and the File_1 1208 is seen to be “created.” Therefore, from the interactive display screen 1300, a viewer can easily determine that, of the events and relationships included in the display screen 1300, the operation of the Process_1 1202 creating the File_1 1204 was the third relationship created. The Process_1 1202 then opens the File_2 1205 and starts the Process_3 1207 (which is the File_1 1204 being launched as a process as the File_1 1204 is an executable file). In addition, the Process_1 1202 starts the Process_2 1206 as the seventh relationship.

The Process_2 1206 deletes the File_3 1208 as the eighth relationship. Subsequently, the Process_3 1207 sets the name/value pair for the Registry_2, the Registry_3 and the Registry_4 as the ninth, tenth and eleventh relationships respectively. The Process_3 1207 then opens the Registry_5, the Folder_1 and the File_5 as the twelfth, thirteenth and fourteenth relationships respectively.

V. Signature Generation

As mentioned above, one embodiment of the invention enables a viewer to generate one or more signatures from the interactive display screens of, for example, FIGS. 10 and 12-14B. In one embodiment, the viewer may select an event and generate a signature based on the event including any events that directly and/or indirectly branched from the selected event. In a second embodiment, the viewer may select a particular grouping of events and generate a signature limited to those selected events. The generated signatures may be stored in the machine learning data store 214 of FIG. 2 to be used in future comparisons of one or more reference models of a plurality of events and at least one or more relationships where at least one of these events and/or relationships is an anomalous behavior or known to be malicious. In addition, signatures generated from a first set of data received from a first endpoint device may be compared to similar signatures generated from a second set of data received from a second endpoint device in order to determine whether an event frequently appears across multiple endpoint devices (e.g., correlated operations or actions across endpoint devices). The frequent appearance of an event across multiple endpoint devices may imply that the event is malicious (e.g., an exploit), or at least suspicious. In addition, the frequent appearance of one or more events across multiple endpoint devices (or other sources that supply data to the MDVS 200) may indicate that the one or more sources is associated with a malware family.

Referring to FIG. 14A, an exemplary illustration of a portion of an interactive display screen for enabling a viewer to generate a signature of a selected event, display particulars of the selected event and/or generate an alert for a selected event is shown. FIG. 14A illustrates a viewer selecting an event (e.g., the Process_2 1206 of FIG. 12) which brings up an overlaying pop-up box 1410 allowing the viewer to select to “Generate Signature 1411,” “Display Info Parameters 1412” or “Generate Alert 1413.” The selection of “Generate Signature 1411” enables the viewer to generate a signature (e.g., a reference model) based on the selected event. The signature may include all events that are a direct or indirect branch from the selected event. For example, a viewer selecting “Generate Signature 1411” for the Process_2 1206 may generate a signature including the Process_2 1206 and the File_3 1208 (as is seen in FIG. 12). The selection of “Display Info Parameters 1412” for the Process_2 1206 would display an interactive display screen including the information included in the row 1020 ₆ of FIG. 10. The selection of “Generate Alert 1413” enables a viewer to generate a rule for the MDVS 200 to issue an alert when the selected event is observed by an endpoint device or other source. Therefore, according to the example in FIG. 14A, when a viewer selects “Generate Alert 1413” for the Process_2 1206, the MDVS 200 will issue an alert to the viewer notifying the viewer of the observation of the Process_2 1206 at an endpoint device. In one embodiment, the MDVS 200 will issue the alert when the MDVS 200 receives data containing an observation of the Process_2 1206. In a second embodiment, the MDVS 200 may notify the management system 242 of the creation of the rule and the management system 242 may propagate the rule to each source connected to the network 240 (the endpoint devices 250 ₁-250 ₂, the TDS 260 ₁-260 ₃ and the cloud computing services 241).

Referring back to FIG. 1, the selection of one or more of “Generate Signature 1411,” “Display Info Parameters 1412” or “Generate Alert 1413” is equivalent to the “Interactive Display Screen Input” illustrated in FIG. 1. The interactive display screen input is transmitted from block 150 to block 120. In particular, the data obtained from the selecting “Generate Signature 1411” includes the particulars of the selected event (e.g., the Process_2 1206 as seen in FIG. 14A) and potentially the events branching from the selected event and the relationships that connect the selected event and any branched events. This data obtained from the selection of “Generate Signature 1411” may be stored as a signature/reference model in the machine learning data store 214 for use in future exploit detection processes and/or reference model generation processes.

The selection of “Display Info Parameters 1412” may result in a query by the gathering logic 212 to the machine learning data store 214 and/or the event log 232 to gather the particulars of the selected process. The machine learning logic 211 may generate interactive display screen information based on the data gathered by the gathering logic 212. The display generation logic 221 may use the interactive display screen information to generate a display in a layout similar to the display screen of FIG. 10.

The selection of “Generate Alert 1413” may result in the gathering of the particulars of the selected process, any events that are branched from the selected event and any relationships connecting the branched events by the gathering logic 212 and the generation of an alert by the machine learning logic 211.

It should be noted that, although in the above paragraphs information (e.g., the particulars) of branched events and the corresponding relationships may be gathered as well as the selected event, the particulars of only the selected event may be gathered as well. The system may be set up to gather either, or a network administrator may be able to adjust how the system responds to a selection of one or more of “Generate Signature 1411,” “Display Info Parameters 1412” and/or “Generate Alert 1413.”

Referring to FIG. 14B, an exemplary illustration of a second embodiment of an interactive display screen for enabling a viewer to generate a signature of a selected event is shown. FIG. 14B illustrates that a viewer has selected a particular grouping of events (the Process_3, the Registry_2, the Registry_3, the File_4 and the Folder_1) for which the viewer may generate a signature by selecting “Generate Signature 1411.” The generated signature in FIG. 14B differs slightly from that of FIG. 14A in the sense that the signature of 14A may include all of the events branching directly and/or indirectly from the selected from. FIG. 14B does not include the event File_5 1406. The exclusion of the event File_5 1406 may be a result of the viewer knowing whether the event File_5 1406 are not malicious and therefore should be not included in a reference model. The selection of “Generate Signature 1411” in FIG. 14B has the same effect as discussed in reference to FIG. 14A above.

Referring to FIG. 15, is an exemplary portion of the generated signature (corresponding to the selected section in FIG. 14B) expressed in XML. The data illustrated by FIG. 15 represents the XML generated when a viewer generates a signature from the interactive display screen 1300 as illustrated in FIG. 14B. As seen in FIG. 14B, a portion of the interactive display screen 1300 has been manually selected by a user and an input (e.g., clicking of a button on a mouse) allows the viewer to generate a signature by activating the option labeled “Generate Signature” 1411. The data illustrated in FIG. 15 may be stored in the machine learning data store 214 and used by the reference model generation logic 215 and/or the matching logic 213 to either generate a reference model or perform an exploit detection process, respectively.

In the foregoing description, the invention is described with reference to specific exemplary embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention as set forth in the appended claims. 

What is claimed is:
 1. A cloud-computing system comprising: one or more processors; and a non-transitory storage module communicatively coupled to the one or more processors, the non-transitory storage module comprises logic, upon execution by the one or more processors, that: observes a plurality of events within data received by the cloud-computing system over a network; accesses a first set of information that comprises (i) information directed to the plurality of events, and (ii) information directed to one or more relationships that identify an association between different observed events of the plurality of events, generates a reference model based on the first set of information, the reference model comprises at least a first event of the plurality of events, a second event of the plurality of events, and a first relationship that identifies that the second event is based on the first event, generates an interactive, graphical display illustrating at least a subset of the plurality of events and the one or more relationships included in the reference model, wherein the interactive, graphical display represents the reference model as either a timeline visualization or an exploit visualization in the form of a nodal diagram with the subset of the plurality of events represented as nodes and a relationship of the subset represented as connections between the nodes on the graphical display, receives user input via the interactive, graphical display corresponding to selection of a grouping of selected nodes and one or more selected connections of the subset via the interactive, graphical display, wherein the grouping by the user input indicates one or more of the nodes or one or more of the connections in the grouping is anomalous or suspicious or indicates a cyber-attack, and responsive to receiving the user input, generates a signature representing the grouping.
 2. The system of claim 1, wherein an anomalous grouping includes a file opened by a first process, wherein the file is configured to be opened by a second process that is different from the first process and is not configured to be opened by the first process.
 3. The system of claim 1, wherein the generating of the reference model by the logic comprises determining that the first event of the plurality of observed events performed at least one of an action or an operation, the at least one of the action or the operation results in an observance of subsequent events of the plurality of observed events including the second event of the plurality of observed events.
 4. The system of claim 1, wherein at least one event of the first plurality of events is a first observed anomalous behavior, and at least one relationship of the one or more relationships is a second observed anomalous behavior.
 5. The system of claim 1, wherein the logic includes a machine learning engine to compare the plurality of events with events exhibited by known malware to determine that the plurality of events are indicative of malware.
 6. The system of claim 5, wherein the machine learning engine combines the signature comprising a second reference model associated with the malware with one or more other reference models to generate a malware family reference model.
 7. The system of claim 1, wherein operations performed by the logic are implemented as a forensic investigative tool configured to analyze malicious events or potentially malicious events included in the plurality of events.
 8. The system of claim 1, wherein the first relationship identifies a causal association between the first event and the second event.
 9. The system of claim 1, wherein generation of the reference model is performed by a machine learning engine.
 10. The system of claim 9, wherein the machine learning engine is activated automatically to generate the reference model in response to an alert condition that signifies detection of a malicious event.
 11. The system of claim 9, wherein the machine learning engine is activated manually by a user selecting the grouping and operates on at least the selected grouping.
 12. The system of claim 9 wherein the machine learning engine.
 13. The system of claim 1, wherein the signature comprises a second reference model utilized for comparison against events observed at a later time for cyber-attack detection.
 14. The system of claim 1, wherein the data comprises log data received by the cloud computer system from one or more endpoints, threat detection systems or cloud computer systems.
 15. The system of claim 1, wherein the logic is coupled with a user interface rendering subsystem that generates one or more interactive display screens to allow a user to select displayed malicious events in order to acquire additional information about the grouping.
 16. The system of claim 1, wherein the logic generates the interactive, graphical display by at least displaying on a display screen a side-by-side comparison of the reference model and a reference model of known malicious events.
 17. The system of claim 16, wherein the logic includes matching logic to infer one or more events or one or more relationships based on the side-by-side comparison which inferred events or relationships were absent from the observed events and the one or more relationships.
 18. The system of claim 1, wherein the interactive, graphical display includes a generate signature button to activate the generation of the signature on the grouping.
 19. The system of claim 18, wherein the signature is generated representing the selected grouping and one or more events branching from the selected grouping.
 20. The system of claim 1, wherein the interactive, graphical display includes a generate alert button, which, when activated, issues an alert with respect to a selected grouping.
 21. A method comprising: observing a plurality of events within data received by a cloud-computing system over a network; accessing a first set of information that comprises (i) information directed to the plurality of events, and (ii) information directed to one or more relationships that identify an association between different observed events of the plurality of events; generating a reference model based on the first set of information, the reference model comprises at least a first event of the plurality of events, a second event of the plurality of events, and a first relationship that identifies that the second event is based on the first event; generating an interactive, graphical display illustrating at least a subset of the plurality of events and relationships included in the reference model, wherein the interactive, graphical display represents the reference model as either a timeline visualization or an exploit visualization comprising a nodal diagram with the subset of the plurality of events represented as nodes and the subset of a relationships represented as connections between the nodes on the graphical display; receiving user input corresponding to selection of a grouping of a plurality of selected nodes and one or more selected connections of the subset via the interactive, graphical display, wherein the grouping of the nodes or the one or more connections is anomalous or suspicious or indicates one or more nodes or one or more of the connections is anomalous, suspicious or indicates a cyber-attack; and responsive to receiving the user input, generating a signature representing the grouping.
 22. The method of claim 21, wherein an anomalous grouping includes a file opened by a first process, wherein the file is configured to be opened by a second process that is different from the first process and is not configured to be opened by the first process.
 23. The method of claim 21, wherein the generating of the reference model comprises determining that the first event of the plurality of observed events performed at least one of an action or an operation, the at least one of the action or the operation results in an observance of subsequent events of the plurality of observed events including the second event of the plurality of observed events.
 24. The method of claim 21, wherein at least one event of the first plurality of events is a first observed anomalous behavior, and at least one relationship of the one or more relationships is a second observed anomalous behavior.
 25. The method of claim 21, wherein the method is implemented as a forensic investigative tool configured to determine malicious events.
 26. The method of claim 21, wherein the first relationship identifies a causal association between the first event and the second event.
 27. The method of claim 21, wherein generation of the reference model is performed by a machine learning engine.
 28. The method of claim 21, wherein the machine learning engine is activated automatically to generate the reference model in response to an alert condition that signifies detection of a malicious event.
 29. The method of claim 21, wherein the signature comprises a second reference model utilized for comparison against events observed at a later time to detect or otherwise analyze a cyber-attack. 